Rich-
Thanks for your response. The client is my own Linux client using OpenSSL. So 
are you saying that I need to do certificate validation on my own, at least as 
far as checking for revocation?  That's assuming the solution isn't to 
concatenate the files as described previously. I am not concerned with getting 
updated CRLs, I just want to know how to properly check for revocation once I 
have a CRL in /etc/ssl/crls on the client.
Can you give a brief high-level view of what I'd need to do this in my client 
without the file appending?
Thanks!

> From: rs...@akamai.com
> To: openssl-users@openssl.org
> Date: Wed, 30 Jul 2014 15:15:51 -0400
> Subject: RE: Can't get my CRL to work on my OpenSSL client
> 
> > However, I do have a question. Is there any way around this requirement? 
> > The requirement of appending the root certificate and CRL files on the 
> > client machine in /etc/ssl/crls?
> 
> It totally depends on the client program that you are using.  So, which 
> client?  The validation code won't, on its own, look at something like the 
> CRL-DP and fetch things for you.
> 
>       /r$
> 
> --  
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rs...@jabber.me Twitter: RichSalz
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
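
An added example, not part of the original thread and not OpenSSL project code: one way a client can check revocation from CRLs already in /etc/ssl/crls without concatenating them with the root certificate. It assumes PEM-encoded CRLs and uses Python's ssl module as a thin wrapper over OpenSSL's certificate store and verify flags; the function names and the `cafile`/`whole_chain` parameters are hypothetical.

```python
import ssl
from pathlib import Path

CRL_TAG = "-----BEGIN X509 CRL-----"


def crl_only_files(crl_dir):
    """Return the PEM files in crl_dir that hold CRLs and no certificates.

    load_verify_locations() adds every certificate in a file as a trust
    anchor, so a concatenated "root cert + CRL" file is skipped here.
    """
    keep = []
    for path in sorted(Path(crl_dir).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if CRL_TAG in text and "CERTIFICATE-----" not in text:
            keep.append(path)
    return keep


def crl_checking_context(crl_dir="/etc/ssl/crls", cafile=None, whole_chain=False):
    """Build a client context that rejects revoked server certificates."""
    # CERT_REQUIRED and hostname checking are already on in the default
    # context; cafile=None means the system trust store is used.
    ctx = ssl.create_default_context(cafile=cafile)
    crls = crl_only_files(crl_dir)
    if not crls:
        # With CRL checking on and no CRL for the issuer, OpenSSL fails every
        # handshake ("unable to get certificate CRL"); report it up front.
        raise FileNotFoundError(f"no PEM CRL found in {crl_dir}")
    for path in crls:
        # Each CRL is parsed into the context's X509_STORE.
        ctx.load_verify_locations(cafile=str(path))
    # LEAF  = X509_V_FLAG_CRL_CHECK (server certificate only)
    # CHAIN = X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL,
    #         which needs a CRL from every CA in the chain.
    ctx.verify_flags |= (ssl.VERIFY_CRL_CHECK_CHAIN if whole_chain
                         else ssl.VERIFY_CRL_CHECK_LEAF)
    return ctx
```

The CRLs are read once when the context is built, so a replaced CRL file takes effect only in a context created afterwards.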
                                          
